Azure Active Directory Hybrid Join and Non-Persistent VDI

If you are running Microsoft Teams and Office 365 on hybrid Azure AD joined, non-persistent VDI machines, with Azure AD Connect configured for password hash synchronization, it is a bit of a challenge to get authentication to Office 365 working correctly. When it is not working, Teams shows a login prompt and asks you to register the machine, and the Office 365 applications ask you to sign in before they will launch correctly. It is not an ideal user experience.

Not that Microsoft will listen to me, but they need to address this issue. You should not have to go through the gymnastics below to make this work. Microsoft does support federation with an on-premises ADFS deployment, but I do not like exposing ADFS to the cloud. I prefer password hash synchronization, as it provides seamless SSO and cloud sign-in does not depend on any on-premises infrastructure being reachable.

Each time you create a new VDI master image with updates, you will need to follow the process below to remove the old device objects; otherwise the new machines will not hybrid join to Azure AD correctly and end users will be prompted for credentials.

You will also need the following command in a machine start-up script; otherwise the non-persistent VDIs will not re-join Azure AD after they are re-provisioned. It has to run elevated, which a start-up script running as SYSTEM already does:

dsregcmd.exe /join

Master VDI Image

The first step in getting this to work correctly is to make sure the master VDI image is removed from Azure AD before you seal it. Run the following command on the master image, from an elevated prompt, and then seal the image:

dsregcmd.exe /leave

You can confirm the result with dsregcmd.exe /status: the Device State section should show AzureAdJoined : NO before you seal. If you seal an image that is still joined, every clone boots carrying the master's device registration state, and the registration fails on the clones.
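The following PowerShell script is an added example and is not part of the original post. It wraps both steps above (the /leave on the master image and the /join in the start-up script) around a small parser for dsregcmd /status, so each step checks the join state instead of running blind. The -Mode switch, the Get-DsregJoinState helper and the property names it keys on (AzureAdJoined, DomainJoined, EnterpriseJoined, AzureAdPrt, as printed by dsregcmd /status) are my additions; it assumes Windows 10 or later and an elevated context.

```powershell
# Added example, not from the original post. Usage:
#   .\Invoke-VdiHybridJoin.ps1 -Mode Seal      # on the master image, before sealing
#   .\Invoke-VdiHybridJoin.ps1 -Mode Startup   # from the clone's start-up script (runs as SYSTEM)
param(
    [Parameter(Mandatory)]
    [ValidateSet('Seal', 'Startup')]
    [string]$Mode
)

function Get-DsregJoinState {
    # Parse the "Name : VALUE" lines of dsregcmd /status that matter here into a hashtable,
    # e.g. @{ AzureAdJoined = 'YES'; DomainJoined = 'YES'; AzureAdPrt = 'NO' }.
    # Keys that dsregcmd did not print are simply absent (and read back as $null).
    $state = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined|AzureAdPrt)\s*:\s*(\S+)') {
            $state[$Matches[1]] = $Matches[2].ToUpper()
        }
    }
    return $state
}

$before = Get-DsregJoinState
Write-Host ("Before: AzureAdJoined={0} DomainJoined={1}" -f $before.AzureAdJoined, $before.DomainJoined)

switch ($Mode) {
    'Seal' {
        # Master image: drop the Azure AD device registration so the sealed image
        # does not hand the same device state to every clone.
        if ($before.AzureAdJoined -eq 'YES') {
            dsregcmd.exe /leave | Out-Null
        }
        $after = Get-DsregJoinState
        # Refuse to report success unless dsregcmd explicitly says NO.
        if ($after.AzureAdJoined -ne 'NO') {
            throw "Image is still Azure AD joined (AzureAdJoined=$($after.AzureAdJoined)); do not seal."
        }
        Write-Host 'Image is not Azure AD joined; safe to seal.'
    }
    'Startup' {
        # Non-persistent clone: (re)join on every boot. Hybrid join needs the on-premises
        # domain join to already be in place, so bail out early if it is not.
        if ($before.DomainJoined -ne 'YES') {
            throw 'Machine is not domain joined; hybrid Azure AD join cannot proceed.'
        }
        dsregcmd.exe /join | Out-Null
        # AzureAdJoined can still read NO right here if the computer object has not yet
        # synced to Azure AD; that is the timing issue the rest of this post deals with.
        $after = Get-DsregJoinState
        Write-Host ("After: AzureAdJoined={0} AzureAdPrt={1}" -f $after.AzureAdJoined, $after.AzureAdPrt)
    }
}
```

Log the "Before" and "After" lines from the start-up run somewhere central; a clone that keeps reporting AzureAdJoined=NO after boot is the first sign that stale device objects were left in Azure AD.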

Script to remove devices out of Azure AD

The next step is to remove the existing VDI device objects from Azure AD. You can do this in the Azure portal (portal.azure.com, then Azure Active Directory, then Devices), or you can script the removal. I prefer to script it, as the portal is very limiting: its filter capabilities are weak and the deletion process is cumbersome.

I found sample scripts to perform this function, but I thought most of them were poor, because you need the Azure AD Device ID and most scripts either assumed you already had it or required a CSV file of machine names as input. There is an easy way to grab the device IDs and then delete the machines with a foreach loop in PowerShell. The commands below use the MSOnline module, so run Connect-MsolService first. (Microsoft has since deprecated MSOnline in favor of Microsoft Graph PowerShell, where Get-MgDevice and Remove-MgDevice do the same job; the approach is identical.)

The command below finds a single machine by name. Without a wildcard, -like behaves as a case-insensitive exact match, so it will not pick up machines whose names merely start with the string.

$VDIDeviceID = (Get-MsolDevice -All | Where-Object {$_.DisplayName -like "Machinename"}).DeviceId

If you want the device IDs for a number of machines, use a character-class pattern like the one below. It finds all devices named VDIMachine2 through VDIMachine9, and nothing else, because there is no trailing wildcard.

$VDIDeviceID = (Get-MsolDevice -All | Where-Object {$_.DisplayName -like "VDIMachine[2-9]"}).DeviceId

If you have more than 9 machines, this is how you can structure the pattern; it matches machines named VDIMachine10 through VDIMachine39.

$VDIDeviceID = (Get-MsolDevice -All | Where-Object {$_.DisplayName -like "VDIMachine[1-3][0-9]"}).DeviceId

Once you have identified the machines you want to delete, the command below removes them. If you are identifying machines in batches, run this command after each query; otherwise the $VDIDeviceID variable is overwritten by the next query and the earlier batch is never deleted. Review what the query returns before running the removal, because Remove-MsolDevice -Force deletes without asking for confirmation.

foreach ($Device in $VDIDeviceID) {Remove-MsolDevice -DeviceId $Device -Force}

This is an example of a multi-machine removal script. Each query is followed by its own foreach loop, so no batch is lost when $VDIDeviceID is reassigned.

$VDIDeviceID = (Get-MsolDevice -All | Where-Object {$_.DisplayName -like "VDIMachine"}).DeviceId

foreach ($Device in $VDIDeviceID) {Remove-MsolDevice -DeviceId $Device -Force}

$VDIDeviceID = (Get-MsolDevice -All | Where-Object {$_.DisplayName -like "VDIMachine[2-9]"}).DeviceId

foreach ($Device in $VDIDeviceID) {Remove-MsolDevice -DeviceId $Device -Force}

$VDIDeviceID = (Get-MsolDevice -All | Where-Object {$_.DisplayName -like "VDIMachine[1-3][0-9]"}).DeviceId

foreach ($Device in $VDIDeviceID) {Remove-MsolDevice -DeviceId $Device -Force}

To verify the machines have been removed, run the same queries again. They should return nothing; if a query still returns a device, that machine was not deleted.

Get-MsolDevice -All | Where-Object {$_.DisplayName -like "VDIMachine"}

Get-MsolDevice -All | Where-Object {$_.DisplayName -like "VDIMachine[2-9]"}

Get-MsolDevice -All | Where-Object {$_.DisplayName -like "VDIMachine[1-3][0-9]"}
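The script below is an added example, not the post's own script. It folds the query, removal and verification steps above into one pass with a dry run, so you see exactly which device objects will go before anything is deleted, and the same query is re-run afterwards as the check. It uses an anchored regular expression with -match instead of the -like character classes above, which covers VDIMachine1 through VDIMachine39 in one pattern and cannot accidentally match a longer name. The $NameRegex and $DryRun parameters, the Get-VdiDevice and Remove-VdiDevice helpers, and the machine naming are my assumptions; it needs the MSOnline module and an existing Connect-MsolService session.

```powershell
# Added example, not from the original post. Usage:
#   .\Remove-VdiDevices.ps1 -DryRun     # list what would be removed, delete nothing
#   .\Remove-VdiDevices.ps1             # remove, then verify the query comes back empty
param(
    # Anchored: matches VDIMachine1..VDIMachine39 exactly. A trailing ".*" or a -like
    # "VDIMachine*" would also catch names such as a master image called VDIMachineTemplate.
    [string]$NameRegex = '^VDIMachine([1-9]|[1-3][0-9])$',
    [switch]$DryRun
)

Import-Module MSOnline -ErrorAction Stop
# Connect-MsolService must already have been run in this session; it prompts for
# credentials, so it is deliberately not called from inside the script.

function Get-VdiDevice {
    param([string]$Regex)
    # Get-MsolDevice has no server-side name filter, so pull every device object
    # and filter client-side. -match is case-insensitive by default.
    Get-MsolDevice -All | Where-Object { $_.DisplayName -match $Regex }
}

function Remove-VdiDevice {
    param([object[]]$Devices, [switch]$DryRun)
    # Returns the DeviceIds actually removed (empty on a dry run).
    $removed = @()
    foreach ($d in $Devices) {
        if ($DryRun) {
            Write-Host ("WOULD REMOVE {0} ({1})" -f $d.DisplayName, $d.DeviceId)
        } else {
            Remove-MsolDevice -DeviceId $d.DeviceId -Force
            $removed += $d.DeviceId
        }
    }
    return $removed
}

$targets = @(Get-VdiDevice -Regex $NameRegex)
if ($targets.Count -eq 0) {
    Write-Host "No devices match $NameRegex; nothing to do."
    return
}

# Always show what is about to go, with trust type and last logon, before touching anything.
$targets |
    Select-Object DisplayName, DeviceId, DeviceTrustType, ApproximateLastLogonTimestamp |
    Format-Table -AutoSize | Out-String | Write-Host

$removed = @(Remove-VdiDevice -Devices $targets -DryRun:$DryRun)
if ($DryRun) { return }

# Verification: the identical query must now return nothing.
$leftover = @(Get-VdiDevice -Regex $NameRegex)
if ($leftover.Count -gt 0) {
    $leftover | ForEach-Object { Write-Warning "Still present: $($_.DisplayName) ($($_.DeviceId))" }
    throw "$($leftover.Count) device(s) were not removed."
}
Write-Host "Removed $($removed.Count) device(s); verification query returned nothing."
```

Run it with -DryRun first every time the pattern changes. The listing includes ApproximateLastLogonTimestamp so a device that has signed in recently under a VDI name, which would suggest the pattern is too broad, stands out before it is deleted.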

The next step is to let Azure AD Connect sync the machines to Azure AD. You can let it run on its schedule or you can force a delta sync. The following is one way to force a delta sync: it uses PowerShell remoting to attach to the AD Connect server, imports the ADSync module and starts the delta cycle. You will need rights on the AD Connect server to run this (membership in its local ADSyncAdmins group is enough), and PowerShell remoting must be enabled on it.

Enter-PSSession -ComputerName ADConnectBox

Import-Module ADSync

Start-ADSyncSyncCycle -PolicyType Delta

exit

Once the delta sync has completed, wait at least 5 to 10 minutes for the computer objects to appear in Azure AD. Machines that start after that will hybrid join correctly, and you should have properly registered non-persistent VDIs.
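As an added example (not from the original post), the script below does the same delta sync non-interactively with Invoke-Command instead of Enter-PSSession, checks that a cycle is not already running before starting one, and then polls Get-ADSyncScheduler until SyncCycleInProgress drops back to false, rather than sleeping a fixed 5 to 10 minutes. The server name ADConnectBox and the $TimeoutMinutes value are placeholders; it assumes WinRM is enabled on the AD Connect server and the caller is in its ADSyncAdmins group.

```powershell
# Added example, not from the original post. Usage:
#   .\Start-AdConnectDeltaSync.ps1 -AdConnectServer ADConnectBox
param(
    [string]$AdConnectServer = 'ADConnectBox',   # placeholder name
    [int]$TimeoutMinutes = 15
)

function Get-SyncInProgress {
    param([string]$Server)
    # Get-ADSyncScheduler exposes SyncCycleInProgress; read it over a remoting session.
    Invoke-Command -ComputerName $Server -ScriptBlock {
        Import-Module ADSync
        (Get-ADSyncScheduler).SyncCycleInProgress
    }
}

# Start-ADSyncSyncCycle will not start a second cycle while one is running, so check first
# and, if one is already in flight, just wait for it.
if (Get-SyncInProgress -Server $AdConnectServer) {
    Write-Host 'A sync cycle is already running; waiting for it instead of starting another.'
} else {
    $result = Invoke-Command -ComputerName $AdConnectServer -ScriptBlock {
        Import-Module ADSync
        Start-ADSyncSyncCycle -PolicyType Delta
    }
    Write-Host ("Start-ADSyncSyncCycle result: {0}" -f $result.Result)
}

# Poll until the scheduler reports the cycle has finished or the timeout is hit.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 15
    $running = Get-SyncInProgress -Server $AdConnectServer
    Write-Host ("{0:HH:mm:ss} sync in progress: {1}" -f (Get-Date), $running)
} while ($running -and (Get-Date) -lt $deadline)

if ($running) {
    throw "Delta sync did not finish within $TimeoutMinutes minutes; check the Synchronization Service Manager on $AdConnectServer."
}
Write-Host 'Delta sync finished; the VDI machines can now hybrid join with dsregcmd /join.'
```

The 15 second poll interval is generous for a delta cycle; the point is that the script only reports done when the scheduler says so, which is what the VDI start-up join actually depends on.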

This has worked well; it saves hours of admin time compared with deleting devices in the Azure portal, and it avoids simple mistakes such as timing problems or accidentally leaving a machine in Azure AD.

I hope this helps someone else having trouble with this issue.

TBJ Consulting